bennybutler
asked on
linux router question
I have two networks, 192.168.1 and 192.168.2.
Between them sits a linux box, running iptables. Actually it's a snapgear 530, but that shouldn't matter, it's just an embedded linux.
I want people on the two networks to be able to access machines on the other, but I don't know how to tell it to do this.
I don't want NAT, FULL access to everything... I'll then restrict stuff with IPTABLES.
I'm just not sure how to tell it to do this?
I do know I need to put a route command on my firewall to tell machines to back up and try the other router.
Thanks
P.S. If the firewall is for routing (e.g. one segment on LAN and one on Internet), you would turn off NAT in the Advanced IP Configuration screen as well.
ASKER
Here's where I'm at.
Router is on both networks, 192.168.1.14/192.168.2.14
Gateway on 192.168.1.1 tells all machines to use 2.14 to get to 192.168.2 network.
It works great, any machine on 1 can get to any machine on 2.
Problem is, snapgear wants to play firewall, so anything on 2 wants to be NAT'd to get to 1. I don't want or need NAT, I just want it to treat the 'internet' interface the same as it does the 'wan' interface.
ASKER
maybe I need to create a reverse of this:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target       prot opt in    out   source      destination
   12   720 EstabRelFwd  all  --  *     *     0.0.0.0/0   0.0.0.0/0
    6   360 LanFwd       all  --  eth0  *     0.0.0.0/0   0.0.0.0/0
    0     0 WanFwd       all  --  eth1  *     0.0.0.0/0   0.0.0.0/0
    0     0 DefDeny      all  --  *     *     0.0.0.0/0   0.0.0.0/
ASKER CERTIFIED SOLUTION
If the firewall is also providing access to the Internet through the untrust interface ("internet" on a SnapGear), you can set up a second IP address on the LAN interface. Do this in Advanced IP Configuration from the IP Configuration screen. You will also need to set up appropriate rules to allow traffic to pass between the two segments.
If the firewall is strictly being used for routing between the segments, you will probably already have the IP addresses set up for the two segments on your LAN and Internet ports. From here it is a matter of configuring the rules / port forwarding to allow traffic to pass as you want it to.
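As an added example (not from this thread and not SnapGear's own firmware), here is the rule set the replies above describe: NAT-free forwarding between the two segments in both directions, with a helper that checks whether a MASQUERADE/SNAT rule is still rewriting traffic on that path. It assumes eth0 is the LAN side on 192.168.1.0/24 and eth1 is the SnapGear "Internet" port on 192.168.2.0/24 (matching the asker's FORWARD listing, where LanFwd is eth0 and WanFwd is eth1); the chain name CrossFwd is our own, and the vendor chains are left untouched.

```shell
#!/bin/sh
# Added example, not from the thread or the SnapGear firmware: forward
# traffic between the two segments in both directions without NAT.
# Assumptions (not stated in the thread): eth0 is the LAN side on
# 192.168.1.0/24 and eth1 is the SnapGear "Internet" port on 192.168.2.0/24;
# the chain name CrossFwd is ours. The vendor's own chains stay in place.
LAN_IF=eth0;  LAN_NET=192.168.1.0/24
WAN_IF=eth1;  WAN_NET=192.168.2.0/24
IPT=${IPT:-iptables}

# Emit the commands instead of running them, so they can be reviewed first
# (run with "apply" to execute them).
gen_rules() {
  cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -N CrossFwd 2>/dev/null || true
$IPT -F CrossFwd
# Only the two real prefixes, in both directions; anything else falls through
# to the vendor chains (LanFwd / WanFwd / DefDeny) exactly as before.
$IPT -A CrossFwd -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $WAN_NET -j ACCEPT
$IPT -A CrossFwd -i $WAN_IF -o $LAN_IF -s $WAN_NET -d $LAN_NET -j ACCEPT
# Replies first (harmless duplicate of the vendor's EstabRelFwd), then the
# cross-segment chain, both ahead of LanFwd / WanFwd so eth1 -> eth0 is
# accepted before WanFwd and DefDeny see it.
$IPT -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -I FORWARD 2 -j CrossFwd
EOF
}

# Reads "iptables -t nat -S POSTROUTING" on stdin. Succeeds (exit 0) when a
# MASQUERADE/SNAT rule still rewrites traffic leaving via either segment,
# i.e. the box is still "playing firewall" and NAT must be switched off first
# (Advanced IP Configuration on the SnapGear, as the replies above say).
nat_in_path() {
  grep -E -- "^-A POSTROUTING .*-o ($LAN_IF|$WAN_IF) .*-j (MASQUERADE|SNAT)" >/dev/null
}

case "${1:-print}" in
  print) gen_rules ;;
  apply) gen_rules | sh -e ;;
  check) if $IPT -t nat -S POSTROUTING | nat_in_path; then
           echo "NAT still active on the cross-segment path; disable it first" >&2
           exit 1
         fi ;;
esac
```

Run it with no argument to print the rules, `check` to confirm the nat table no longer masquerades either interface, and `apply` to load them. The routing half is separate from the filtering: each segment's default gateway still needs a static route pointing at the box (on the 192.168.1.1 side, `route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.14`, and the mirror image on the 192.168.2 gateway), otherwise replies from the far segment go to the wrong router. After loading, `iptables -L FORWARD -v -n` should show the CrossFwd counters rising in both directions while WanFwd stays at zero for that traffic.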